From 521346dcc4c2d3c41b06f2f69e41a500aaa5453f Mon Sep 17 00:00:00 2001 From: Pragadeeswaran Sathyanarayanan Date: Fri, 30 Jul 2021 09:44:29 +0530 Subject: [PATCH] Add support for disabling SSL certificate verification Signed-off-by: Pragadeeswaran Sathyanarayanan (cherry picked from commit ea3caaa76bf80094596753cc8abab776f9c50253) --- s3tests.conf.SAMPLE | 3 + s3tests_boto3/functional/__init__.py | 27 ++++++++- s3tests_boto3/functional/test_s3.py | 83 ++++++++++++++-------------- 3 files changed, 71 insertions(+), 42 deletions(-) diff --git a/s3tests.conf.SAMPLE b/s3tests.conf.SAMPLE index 828ea90..c20376a 100644 --- a/s3tests.conf.SAMPLE +++ b/s3tests.conf.SAMPLE @@ -10,6 +10,9 @@ port = 8000 ## say "False" to disable TLS is_secure = False +## say "False" to disable SSL Verify +ssl_verify = True + [fixtures] ## all the buckets created will start with this prefix; ## {random} will be filled with random characters to pad diff --git a/s3tests_boto3/functional/__init__.py b/s3tests_boto3/functional/__init__.py index 8a9f4cc..99b6d23 100644 --- a/s3tests_boto3/functional/__init__.py +++ b/s3tests_boto3/functional/__init__.py @@ -9,6 +9,7 @@ import munch import random import string import itertools +import urllib3 config = munch.Munch @@ -166,6 +167,15 @@ def setup(): proto = 'https' if config.default_is_secure else 'http' config.default_endpoint = "%s://%s:%d" % (proto, config.default_host, config.default_port) + try: + config.default_ssl_verify = cfg.getboolean('DEFAULT', "ssl_verify") + except configparser.NoOptionError: + config.default_ssl_verify = True + + # Disable InsecureRequestWarning reported by urllib3 when ssl_verify is False + if not config.default_ssl_verify: + urllib3.disable_warnings() + # vars from the main section config.main_access_key = cfg.get('s3 main',"access_key") config.main_secret_key = cfg.get('s3 main',"secret_key") @@ -213,6 +223,7 @@ def setup(): nuke_prefixed_buckets(prefix=prefix, client=alt_client) nuke_prefixed_buckets(prefix=prefix, client=tenant_client) + def teardown(): alt_client = get_alt_client() tenant_client = get_tenant_client() @@ -247,6 +258,7 @@ def get_client(client_config=None): aws_secret_access_key=config.main_secret_key, endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -256,6 +268,7 @@ def get_v2_client(): aws_secret_access_key=config.main_secret_key, endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=Config(signature_version='s3')) return client @@ -269,6 +282,7 @@ def get_sts_client(client_config=None): endpoint_url=config.default_endpoint, region_name='', use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -300,6 +314,7 @@ def get_iam_client(client_config=None): endpoint_url=config.default_endpoint, region_name='', use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -312,6 +327,7 @@ def get_alt_client(client_config=None): aws_secret_access_key=config.alt_secret_key, endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -324,6 +340,7 @@ def get_tenant_client(client_config=None): aws_secret_access_key=config.tenant_secret_key, endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -334,6 +351,7 @@ def get_tenant_iam_client(): aws_access_key_id=config.tenant_access_key, aws_secret_access_key=config.tenant_secret_key, endpoint_url=config.default_endpoint, + verify=config.default_ssl_verify, use_ssl=config.default_is_secure) return client @@ -343,6 +361,7 @@ def get_unauthenticated_client(): aws_secret_access_key='', endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=Config(signature_version=UNSIGNED)) return client @@ -352,6 +371,7 @@ def get_bad_auth_client(aws_access_key_id='badauth'): aws_secret_access_key='roflmao', endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=Config(signature_version='s3v4')) return client @@ -364,6 +384,7 @@ def get_svc_client(client_config=None, svc='s3'): aws_secret_access_key=config.main_secret_key, endpoint_url=config.default_endpoint, use_ssl=config.default_is_secure, + verify=config.default_ssl_verify, config=client_config) return client @@ -394,7 +415,8 @@ def get_new_bucket_resource(name=None): aws_access_key_id=config.main_access_key, aws_secret_access_key=config.main_secret_key, endpoint_url=config.default_endpoint, - use_ssl=config.default_is_secure) + use_ssl=config.default_is_secure, + verify=config.default_ssl_verify) if name is None: name = get_new_bucket_name() bucket = s3.Bucket(name) @@ -444,6 +466,9 @@ def get_config_port(): def get_config_endpoint(): return config.default_endpoint +def get_config_ssl_verify(): + return config.default_ssl_verify + def get_main_aws_access_key(): return config.main_access_key diff --git a/s3tests_boto3/functional/test_s3.py b/s3tests_boto3/functional/test_s3.py index 5748773..7d7bb85 100644 --- a/s3tests_boto3/functional/test_s3.py +++ b/s3tests_boto3/functional/test_s3.py @@ -50,6 +50,7 @@ from . import ( get_config_host, get_config_port, get_config_endpoint, + get_config_ssl_verify, get_main_aws_access_key, get_main_aws_secret_key, get_main_display_name, @@ -2283,7 +2284,7 @@ def test_post_object_anonymous_request(): ("Content-Type" , "text/plain"),('file', ('bar'))]) client.create_bucket(ACL='public-read-write', Bucket=bucket_name) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') body = _get_body(response) @@ -2325,7 +2326,7 @@ def test_post_object_authenticated_request(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') body = _get_body(response) @@ -2366,7 +2367,7 @@ def test_post_object_authenticated_no_content_type(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key="foo.txt") body = _get_body(response) @@ -2408,7 +2409,7 @@ def test_post_object_authenticated_request_bad_access_key(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -2425,7 +2426,7 @@ def test_post_object_set_success_code(): ("success_action_status" , "201"),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 201) message = ET.fromstring(r.content).find('Key') eq(message.text,'foo.txt') @@ -2444,7 +2445,7 @@ def test_post_object_set_invalid_success_code(): ("success_action_status" , "404"),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) content = r.content.decode() eq(content,'') @@ -2486,7 +2487,7 @@ def test_post_object_upload_larger_than_chunk(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', foo_string)]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') body = _get_body(response) @@ -2526,7 +2527,7 @@ def test_post_object_set_key_from_filename(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('foo.txt', 'bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') body = _get_body(response) @@ -2567,7 +2568,7 @@ def test_post_object_ignored_header(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),("x-ignore-foo" , "bar"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) @attr(resource='object') @@ -2606,7 +2607,7 @@ def test_post_object_case_insensitive_condition_fields(): ("aCl" , "private"),("signature" , signature),("pOLICy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) @attr(resource='object') @@ -2643,7 +2644,7 @@ def test_post_object_escaped_field_values(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='\$foo.txt') body = _get_body(response) @@ -2688,7 +2689,7 @@ def test_post_object_success_redirect_action(): ("Content-Type" , "text/plain"),("success_action_redirect" , redirect_url),\ ('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 200) url = r.url response = client.get_object(Bucket=bucket_name, Key='foo.txt') @@ -2730,7 +2731,7 @@ def test_post_object_invalid_signature(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -2767,7 +2768,7 @@ def test_post_object_invalid_access_key(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -2804,7 +2805,7 @@ def test_post_object_invalid_date_format(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -2840,7 +2841,7 @@ def test_post_object_no_key_specified(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -2877,7 +2878,7 @@ def test_post_object_missing_signature(): ("acl" , "private"),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -2913,7 +2914,7 @@ def test_post_object_missing_policy_condition(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -2951,7 +2952,7 @@ def test_post_object_user_specified_header(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('x-amz-meta-foo' , 'barclamp'),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') eq(response['Metadata']['foo'], 'barclamp') @@ -2991,7 +2992,7 @@ def test_post_object_request_missing_policy_specified_field(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -3028,7 +3029,7 @@ def test_post_object_condition_is_case_sensitive(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3065,7 +3066,7 @@ def test_post_object_expires_is_case_sensitive(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3102,7 +3103,7 @@ def test_post_object_expired_policy(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -3139,7 +3140,7 @@ def test_post_object_invalid_request_field_value(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('x-amz-meta-foo' , 'barclamp'),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 403) @attr(resource='object') @@ -3176,7 +3177,7 @@ def test_post_object_missing_expires_condition(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3205,7 +3206,7 @@ def test_post_object_missing_conditions_list(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3242,7 +3243,7 @@ def test_post_object_upload_size_limit_exceeded(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3279,7 +3280,7 @@ def test_post_object_missing_content_length_argument(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3316,7 +3317,7 @@ def test_post_object_invalid_content_length_argument(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3353,7 +3354,7 @@ def test_post_object_upload_size_below_minimum(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3386,7 +3387,7 @@ def test_post_object_empty_conditions(): ("acl" , "private"),("signature" , signature),("policy" , policy),\ ("Content-Type" , "text/plain"),('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 400) @attr(resource='object') @@ -3943,7 +3944,7 @@ def test_object_raw_get_x_amz_expires_not_expired(): url = client.generate_presigned_url(ClientMethod='get_object', Params=params, ExpiresIn=100000, HttpMethod='GET') - res = requests.get(url).__dict__ + res = requests.get(url, verify=get_config_ssl_verify()).__dict__ eq(res['status_code'], 200) @attr(resource='object') @@ -3957,7 +3958,7 @@ def test_object_raw_get_x_amz_expires_out_range_zero(): url = client.generate_presigned_url(ClientMethod='get_object', Params=params, ExpiresIn=0, HttpMethod='GET') - res = requests.get(url).__dict__ + res = requests.get(url, verify=get_config_ssl_verify()).__dict__ eq(res['status_code'], 403) @attr(resource='object') @@ -3971,7 +3972,7 @@ def test_object_raw_get_x_amz_expires_out_max_range(): url = client.generate_presigned_url(ClientMethod='get_object', Params=params, ExpiresIn=609901, HttpMethod='GET') - res = requests.get(url).__dict__ + res = requests.get(url, verify=get_config_ssl_verify()).__dict__ eq(res['status_code'], 403) @attr(resource='object') @@ -3985,7 +3986,7 @@ def test_object_raw_get_x_amz_expires_out_positive_range(): url = client.generate_presigned_url(ClientMethod='get_object', Params=params, ExpiresIn=-7, HttpMethod='GET') - res = requests.get(url).__dict__ + res = requests.get(url, verify=get_config_ssl_verify()).__dict__ eq(res['status_code'], 403) @@ -4044,7 +4045,7 @@ def test_object_raw_put_authenticated_expired(): url = client.generate_presigned_url(ClientMethod='put_object', Params=params, ExpiresIn=-1000, HttpMethod='PUT') # params wouldn't take a 'Body' parameter so we're passing it in here - res = requests.put(url,data="foo").__dict__ + res = requests.put(url, data="foo", verify=get_config_ssl_verify()).__dict__ eq(res['status_code'], 403) def check_bad_bucket_name(bucket_name): @@ -7393,7 +7394,7 @@ def test_set_cors(): eq(status, 404) def _cors_request_and_check(func, url, headers, expect_status, expect_allow_origin, expect_allow_methods): - r = func(url, headers=headers) + r = func(url, headers=headers, verify=get_config_ssl_verify()) eq(r.status_code, expect_status) assert r.headers.get('access-control-allow-origin', None) == expect_allow_origin @@ -10179,7 +10180,7 @@ def test_encryption_sse_c_post_object_authenticated_request(): ('x-amz-server-side-encryption-customer-key-md5', 'DWygnHRtgiJ77HCm+1rvHw=='), \ ('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) get_headers = { @@ -10468,7 +10469,7 @@ def test_sse_kms_post_object_authenticated_request(): ('x-amz-server-side-encryption-aws-kms-key-id', kms_keyid), \ ('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') @@ -11174,7 +11175,7 @@ def test_post_object_tags_anonymous_request(): ('file', ('bar')), ]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key=key_name) body = _get_body(response) @@ -11226,7 +11227,7 @@ def test_post_object_tags_authenticated_request(): ("Content-Type" , "text/plain"), ('file', ('bar'))]) - r = requests.post(url, files = payload) + r = requests.post(url, files=payload, verify=get_config_ssl_verify()) eq(r.status_code, 204) response = client.get_object(Bucket=bucket_name, Key='foo.txt') body = _get_body(response)